14.9.Â Access Control Lists

Access Control Lists (ACLs) extend the
standard UNIXÂ® permission model in a POSIXÂ®.1e compatible way.
This permits an administrator to take advantage of a more
fine-grained permissions model.

The FreeBSD GENERIC kernel provides
ACL support for UFS file
systems. Users who prefer to compile a custom kernel must
include the following option in their custom kernel
configuration file:

options UFS_ACL

If this option is not compiled in, a warning message will be
displayed when attempting to mount a file system with
ACL support. ACLs rely on
extended attributes which are natively supported in
UFS2.

This chapter describes how to enable
ACL support and provides some usage
examples.

14.9.1.Â Enabling ACL Support

ACLs are enabled by the mount-time
administrative flag, acls, which may be added
to /etc/fstab. The mount-time flag can
also be automatically set in a persistent manner using
tunefs(8) to modify a superblock ACLs
flag in the file system header. In general, it is preferred
to use the superblock flag for several reasons:

The superblock flag cannot be changed by a remount
using mount -u as it requires a complete
umount and fresh
mount. This means that
ACLs cannot be enabled on the root file
system after boot. It also means that
ACL support on a file system cannot be
changed while the system is in use.

Setting the superblock flag causes the file system to
always be mounted with ACLs enabled,
even if there is not an fstab entry
or if the devices re-order. This prevents accidental
mounting of the file system without ACL
support.

Note:

It is desirable to discourage accidental mounting
without ACLs enabled because nasty things
can happen if ACLs are enabled, then
disabled, then re-enabled without flushing the extended
attributes. In general, once ACLs are
enabled on a file system, they should not be disabled, as
the resulting file protections may not be compatible with
those intended by the users of the system, and re-enabling
ACLs may re-attach the previous
ACLs to files that have since had their
permissions changed, resulting in unpredictable
behavior.

File systems with ACLs enabled will
show a plus (+) sign in their permission
settings:

14.9.2.Â Using ACLs

To change the ACL settings on this
file, use setfacl. To remove all of the
currently defined ACLs from a file or file
system, include -k. However, the preferred
method is to use -b as it leaves the basic
fields required for ACLs to work.

%setfacl -k test

To modify the default ACL entries, use
-m:

%setfacl -m u:trhodes:rwx,group:web:r--,o::--- test

In this example, there were no pre-defined entries, as
they were removed by the previous command. This command
restores the default options and assigns the options listed.
If a user or group is added which does not exist on the
system, an Invalid argument error will
be displayed.

Refer to getfacl(1) and setfacl(1) for more
information about the options available for these
commands.